Platform
php
Component
filethingie
Fixed in
2.5.8
CVE-2019-25471 describes a critical arbitrary file access vulnerability discovered in FileThingie. This flaw allows attackers to upload and execute malicious files, potentially leading to complete system compromise. The vulnerability impacts FileThingie versions 2.5.7 through 2.5.7. A patch is available in version 2.5.8.
The primary impact of CVE-2019-25471 is the ability for an attacker to gain arbitrary code execution on a system running FileThingie. By crafting a malicious ZIP archive containing PHP shell scripts and uploading it through the ft2.php endpoint, an attacker can leverage FileThingie's unzip functionality to extract the shell into a publicly accessible directory. Subsequently, the attacker can execute arbitrary commands on the server, potentially leading to data theft, system takeover, or denial of service. The blast radius extends to any sensitive data stored or processed by the FileThingie application, and the attacker could potentially pivot to other systems on the network.
CVE-2019-25471 is a high-severity vulnerability with a CVSS score of 9.8. Public proof-of-concept exploits are likely to emerge given the ease of exploitation. While no active campaigns have been publicly confirmed, the vulnerability's simplicity makes it an attractive target for opportunistic attackers. The vulnerability was published on 2026-03-11.
Exploit Status
EPSS
0.20% (42% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2019-25471 is to immediately upgrade FileThingie to version 2.5.8 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing temporary workarounds. These may include restricting file uploads to specific file types, implementing strict input validation on the ft2.php endpoint to prevent ZIP uploads, and configuring a Web Application Firewall (WAF) to block requests containing malicious ZIP files. Monitor access logs for suspicious file upload attempts. After upgrading, confirm the fix by attempting to upload a test ZIP file containing a harmless PHP script and verifying that the upload fails or is properly sanitized.
Actualice FileThingie a la versión 2.5.8 o posterior para mitigar la vulnerabilidad de carga arbitraria de archivos. Verifique y restrinja los tipos de archivos permitidos para la carga a través del endpoint ft2.php. Implemente una validación robusta de los archivos cargados para prevenir la ejecución de código malicioso.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2019-25471 is a critical vulnerability in FileThingie versions 2.5.7–2.5.7 that allows attackers to upload and execute malicious files, potentially leading to system compromise.
If you are using FileThingie version 2.5.7, you are vulnerable to this attack. Upgrade to version 2.5.8 or later to mitigate the risk.
The recommended fix is to upgrade FileThingie to version 2.5.8 or later. As a temporary workaround, restrict file uploads and implement WAF rules.
While no active campaigns have been confirmed, the vulnerability's simplicity makes it a likely target for attackers. Vigilance and prompt patching are crucial.
Refer to the FileThingie project's official website or security advisories for the most up-to-date information and guidance.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.